Why is a pre-checked checkbox a TCPA violation?

TCPA requires prior *express* written consent — meaning an affirmative act by the consumer. A pre-checked box is a passive default. The consumer never actively agreed to receive texts; they simply failed to uncheck a box. Courts treat this as no consent at all.

Which form builders default to pre-checked checkboxes?

ClickFunnels, older WPForms configurations, some Elementor form templates, and certain GoHighLevel snapshot forms have shipped with pre-checked consent boxes. Always verify checkbox default state before any campaign launch.

Does the Johnson standard apply to all SMS consent forms?

The Johnson standard and similar rulings apply broadly to any TCPA consent mechanism. The core principle — that consent must be an unambiguous affirmative act — is consistent across federal circuits.

Can I fix a pre-checked checkbox retroactively and keep the contacts?

No. Contacts collected with a pre-checked checkbox never gave valid consent. Continuing to text them after fixing the form is still a TCPA violation. Those contacts need a re-consent campaign or must be suppressed.

What's the minimum a consent checkbox disclosure must say?

It must name your business, describe what messages consumers will receive, state message frequency, include 'message and data rates may apply,' and provide STOP/HELP instructions. It must be visible before the checkbox, not buried in a linked document.

Pre-Checked Checkbox TCPA Violation: Audit & Fix Guide

A SaaS company launched an SMS drip campaign to 12,000 leads collected over 18 months. Six weeks in, a plaintiff's attorney sent a demand letter. The violation: their signup form had a pre-checked consent checkbox. A developer had set `checked="true"` in the HTML. The company had been texting 12,000 people who never actually opted in.

Potential exposure: $18 million.

A pre-checked consent checkbox is the most common accidental TCPA violation in digital marketing — and one of the most legally indefensible. Here's why it happens, exactly how courts rule on it, and what your forms must look like to be compliant.

What Makes a Consent Checkbox "Pre-Checked"

A consent checkbox is pre-checked when it arrives on the page already selected. The consumer must actively uncheck it to opt out. From a UX perspective, this increases conversions. From a legal perspective, it creates zero valid consent.

The HTML looks like this:

html

<!-- Pre-checked — TCPA VIOLATION -->
<input type="checkbox" name="sms_consent" checked="true">

<!-- Unchecked by default — COMPLIANT -->
<input type="checkbox" name="sms_consent">

One attribute. $1,500 per message in liability.

Why Pre-Checked Boxes Fail the Affirmative Act Test

Federal courts have established a clear principle across multiple TCPA cases: consent requires an unambiguous affirmative act by the consumer. A pre-checked box fails this test because:

The consumer never took a positive action to opt in
The default state favors the business, not the consumer
The consent was effectively manufactured by the form designer, not chosen by the consumer

The FTC has stated that pre-checked boxes "do not constitute express consent" in guidance documents that TCPA courts have cited. The FCC's rulemaking is equally clear: the consumer must take an affirmative action to consent.

Courts have found that even when a consumer submits a form with a pre-checked box without unchecking it, that submission does not constitute valid TCPA consent. If you run a Shopify store specifically, the Johnson v. Human Power of N standard and what it means for your checkout consent checkbox is covered in detail. This guide focuses on the platform-agnostic audit: ClickFunnels, GoHighLevel, WPForms, Elementor, and any other builder your team uses.

Form Builders That Create This Problem

Several popular form tools have shipped default templates with pre-checked consent boxes. These are the platforms where you need to audit your settings:

GoHighLevel

GHL's older snapshot templates and some marketplace funnels have shipped with pre-checked SMS consent checkboxes. In the form builder, check the default checkbox state under Form Settings → Field Properties → Default Value. It should be empty, not checked.

ClickFunnels

ClickFunnels 2.0 form elements can be configured with a "checked by default" option. This is often enabled by funnel builders trying to boost opt-in rates. Any funnel using this configuration is creating TCPA liability.

WPForms / Gravity Forms

WordPress form plugins allow checkbox defaults. If you added a consent checkbox field and set a default value, verify that default is unchecked.

Elementor Forms

Elementor's checkbox widget has a "checked by default" toggle. It's turned off by default in newer versions but may be enabled in legacy forms.

HubSpot Forms

HubSpot forms allow pre-population of field values. If a consent checkbox is pre-populated via URL parameter or smart field rules, that creates the same problem.

The Disclosure Placement Problem

A compliant consent checkbox has two requirements, not one:

The checkbox must be unchecked by default
The disclosure language must appear before (or immediately adjacent to) the checkbox

Businesses that fix the checked state but leave the disclosure buried below the fold, inside a collapsed accordion, or linked to a separate page are still creating consent validity problems.

The disclosure must be readable without any additional navigation. If a user would have to scroll, click, or expand something to see the consent language before checking the box, the consent is weaker and more challengeable.

Compliant placement example:

☐ I agree to receive promotional text messages from [Business Name] about [topic]. Message frequency varies. Message & data rates may apply. Reply STOP to cancel. Reply HELP for help. [Terms] [Privacy]

The entire disclosure is visible, next to an unchecked box, before the submit button.

How to Audit Your Forms Right Now

Run this audit on every form that collects phone numbers across your business:

1. Inspect the HTML source

Right-click → View Page Source → search for `type="checkbox"` or `input[type=checkbox]`. Look for any `checked` attribute on SMS consent fields. If you find it, it needs to be removed.

2. Test in incognito mode

Load each form in a fresh incognito window (no cookies, no pre-fill). Is the SMS consent checkbox checked or unchecked when the page loads? If checked, it's non-compliant.

3. Check your form builder's default field values

In every form builder you use, find your SMS consent checkbox field and verify the default value is not set to "checked" or "true."

4. Review imported or templated forms

If you used a snapshot, template, or purchased funnel, the consent configuration may have been set by whoever built the template — not you. Audit every form you didn't build from scratch.

5. Review CTA-triggered forms

Popups and modal forms triggered by scroll depth or exit intent are often configured separately from page forms. Audit these independently.

What to Do With Contacts Collected via Pre-Checked Forms

If you discover you have been collecting SMS consent via a pre-checked checkbox, the contacts collected are not legally consented. Here is what to do:

Stop sending to those contacts immediately. Every additional message is a new TCPA violation.

Suppress the list. Export the affected contacts into a separate suppression list. Do not send to them until you have valid re-consent.

Run a re-consent campaign via email. If you have email addresses for these contacts, send a single re-consent email asking them to opt in to your SMS program via a new, compliant form. Do not use SMS to request SMS re-consent — that message itself would be a violation.

Document what you found and fixed. If you receive a demand letter, showing that you identified the problem, stopped texting, and fixed the process is meaningful evidence of good faith. It doesn't eliminate liability, but it matters in settlement negotiations.

Preventing Future Violations

Going forward, the only safe approach is to use a purpose-built consent form widget that enforces unchecked defaults, captures session replay proof of the consumer's affirmative click, and stores the consent record in an append-only tamper-proof audit vault.

Do not rely on form builders to protect you legally. They are designed for conversion, not compliance. The $1,500 per message cost of a TCPA violation will dwarf any conversion lift from a pre-checked box.